Remote Logging with Syslog
The Remote Logging options under Status > System Logs on the Settings tab allow syslog to copy log entries to a remote server.
The logs kept by pfSense on the firewall itself are of a finite size, and on NanoBSD they are cleared on reboot. Copying log entries to a syslog server aids troubleshooting and enables long-term monitoring. A remote copy also preserves events that would otherwise be lost: entries written shortly before a firewall restart, entries cycled out of the local log as it fills, and entries generated while local storage has failed but the network is still up.
Corporate or local legislative policies may dictate the length of time logs must be retained from firewalls and similar devices. If an organization requires long-term log retention for their own or government purposes, a remote syslog server is required to receive and retain these logs.
To start logging remotely:
- Navigate to Status > System Logs on the Settings tab
- Check Send log messages to remote syslog server
- Configure the options as follows:
|Source Address:|
Controls where the
When choosing an interface for the Source Address, this option
|Remote Log Servers:|
Enter up to three remote servers using the boxes contained in this section. Each remote server can use either an IP address or hostname, and an optional port number. If the port is not specified, the default
A syslog server is typically directly reachable from the pfSense firewall on a local interface. Logging can also be sent to a server across a VPN.
Do not send log data directly across any WAN connection or unencrypted site-to-site link. Remote syslog is plain text over UDP with no authentication or integrity protection, and the entries can contain sensitive information such as usernames, internal addresses and firewall rule details.
|Remote Syslog Contents:|
The options in this section control which log messages will be sent to the remote log server.
- Click Save to store the changes.
If a syslog server is not already available, it is fairly easy to set one up. See Syslog Server on Windows with Kiwi Syslog for information on setting up Kiwi Syslog on Windows. Almost any UNIX or UNIX-like system can be used as a syslog server. FreeBSD is described in the following section, but others may be similar.
Configuring a Syslog Server on FreeBSD
Setting up a syslog server on FreeBSD requires only a couple of steps. In this example, replace 192.168.1.1 with the IP address of the firewall, exco-rtr with the hostname of the firewall, and exco-rtr.example.com with the full hostname and domain of the firewall. This example uses 192.168.1.1 because the best practice is to send syslog messages from the internal address of a firewall, not a WAN interface.
These changes must all be made on the syslog server, not on the firewall.
First, the firewall will likely need an entry in /etc/hosts containing the address and name of the firewall:

192.168.1.1 exco-rtr exco-rtr.example.com
Then adjust the startup flags for syslogd so that it accepts syslog messages from the firewall. Edit /etc/rc.conf and add this line if it does not exist, or add this option to the existing line for the setting:

syslogd_flags=" -a 192.168.1.1"

The FreeBSD default for syslogd_flags is -s, which refuses all remote messages; the line above replaces that default and admits only this firewall. Note that syslogd accepts a peer listed with -a only when its datagrams come from the syslog port (UDP 514) unless the entry ends in :*, so if the firewall sends from another source port use -a 192.168.1.1:* instead. A host firewall on the server must also allow UDP 514 from the firewall's address.
Lastly, add lines to /etc/syslog.conf to catch log entries from this host. Underneath any other existing entries, add the following lines:

!*
+*
+exco-rtr
*.* /var/log/exco-rtr.log

Those lines reset the program and host filters, then set a host filter for this firewall using the short name as entered in /etc/hosts, and send every message from that host to /var/log/exco-rtr.log. Look at /etc/syslog.conf on the pfSense firewall for ideas about filtering the logs for various services into separate log files on the syslog server. Two caveats: syslogd does not create log files, so create an empty /var/log/exco-rtr.log (with touch, as root) before restarting, otherwise the entries are silently discarded; and add a matching entry to /etc/newsyslog.conf so the file is rotated rather than growing without bound.
After these changes, syslogd must be restarted. On FreeBSD this is one simple command:

# service syslogd restart
Now confirm that syslogd is listening on UDP port 514 (sockstat -l on the server shows a udp4 *:514 socket owned by syslogd), then watch /var/log/exco-rtr.log. If the configuration is correct, entries appear as activity happens on the firewall. If nothing arrives, check that the address the firewall sends from matches the -a entry in /etc/rc.conf and that the hostname in the messages matches the +host filter in /etc/syslog.conf.
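To make the filtering above concrete, here is a small Python model of what the syslogd configuration on this page enforces. It is an added example written for this section, not code from the pfSense documentation or from FreeBSD's syslogd: it parses BSD-style syslog datagrams of the form pfSense sends, applies a source-address allow-list modelled on the -a option (port 514 unless the entry ends in :*), and applies the +host / !program filters and facility.level selectors from the syslog.conf lines. The datagrams, the addresses and the filterlog-style line are constructed for the example. The point worth seeing is that the host and program names syslogd filters on come from the datagram text, which any sender controls, while only the allow-list looks at the actual source address; that is why a listed peer and a non-WAN path matter.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Added example: a toy model of the FreeBSD syslogd behaviour configured above.
# Not pfSense or FreeBSD code; the sample datagrams at the bottom are constructed.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              9: "cron", 10: "authpriv", 11: "ftp", 13: "security"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# BSD syslog line as sent by syslogd: <PRI>TIMESTAMP HOST TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$", re.S)


@dataclass
class Message:
    facility: str
    severity: str
    host: str       # taken from the datagram text, not from the sender's address
    program: str
    text: str


def parse(datagram: bytes) -> Optional[Message]:
    """Decode PRI into facility/severity and split host, program tag and message."""
    m = RFC3164.match(datagram.decode("utf-8", "replace"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # 23 facilities * 8 severities is the maximum
        return None
    return Message(FACILITIES.get(pri >> 3, f"facility{pri >> 3}"),
                   SEVERITIES[pri & 7], m["host"], m["prog"], m["msg"])


def parse_peer_rule(spec: str):
    """'ipaddr[/masklen][:port]' as in syslogd -a; port defaults to 514, '*' = any. IPv4 only here."""
    addr, _, port = spec.partition(":")
    net = ipaddress.ip_network(addr, strict=False)
    return net, (None if port == "*" else int(port or 514))


def peer_allowed(peer, rules) -> bool:
    """Allow-list check on the real UDP source (address, port) of the datagram."""
    ip = ipaddress.ip_address(peer[0])
    return any(ip in net and (port is None or port == peer[1]) for net, port in rules)


def load_conf(text: str):
    """Subset of syslog.conf: '!prog' / '!*', '+host' / '+*' and 'facility.level target' lines."""
    rules, prog, host = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] == "!":
            prog = None if line[1:] == "*" else line[1:]
        elif line[0] == "+":
            host = None if line[1:] == "*" else line[1:]
        else:
            selector, target = line.split()
            fac, level = selector.split(".")
            rules.append((prog, host, fac, level, target))
    return rules


def route(msg: Message, rules):
    """Targets a message is written to; '+host' is compared against the message's own host field."""
    out = []
    for prog, host, fac, level, target in rules:
        if prog is not None and prog != msg.program:
            continue
        if host is not None and host not in (msg.host, msg.host.split(".")[0]):
            continue
        if fac != "*" and fac != msg.facility:
            continue
        # a level selects that severity and anything more severe (lower index)
        if level != "*" and SEVERITIES.index(msg.severity) > SEVERITIES.index(level):
            continue
        out.append(target)
    return out


def receive(datagrams, allowed_specs, conf_text):
    """Run (peer, datagram) pairs through the allow-list and the config; returns (written, dropped)."""
    peers = [parse_peer_rule(s) for s in allowed_specs]
    rules = load_conf(conf_text)
    written, dropped = {}, []
    for peer, data in datagrams:
        if not peer_allowed(peer, peers):
            dropped.append((peer, "peer not allowed"))
            continue
        msg = parse(data)
        if msg is None:
            dropped.append((peer, "unparseable"))
            continue
        targets = route(msg, rules)
        if not targets:
            dropped.append((peer, f"no rule for host {msg.host!r}"))
        for target in targets:
            written.setdefault(target, []).append(f"{msg.program}: {msg.text}")
    return written, dropped


CONF = """
!*
+*
+exco-rtr
*.*         /var/log/exco-rtr.log
!filterlog
local0.*    /var/log/exco-rtr-filter.log
"""

SAMPLE = [  # ((source address, source port), datagram); all constructed for this example
    (("192.168.1.1", 514), b"<134>Jan 10 12:00:01 exco-rtr filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.168.1.1,54321,22"),
    (("192.168.1.1", 514), b"<38>Jan 10 12:00:02 exco-rtr sshd[1234]: Failed password for root from 203.0.113.9 port 54321 ssh2"),
    (("203.0.113.9", 514), b"<134>Jan 10 12:00:03 exco-rtr filterlog: forged line from a peer that is not in the -a list"),
    (("192.168.1.1", 514), b"<13>Jan 10 12:00:04 other-host logger: listed peer, but the datagram claims another hostname"),
]

if __name__ == "__main__":
    written, dropped = receive(SAMPLE, ["192.168.1.1"], CONF)
    for target, lines in written.items():
        print(target, lines)
    print("dropped:", dropped)
```

Running it writes the filterlog line to both files and the sshd line to the catch-all file; the datagram from 203.0.113.9 is refused by the allow-list, and the one that claims to be "other-host" passes the allow-list but matches no +host filter, which is exactly what syslogd would do with the configuration above.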